February 2, 2016 • RFSID
You do want to improve your threat intelligence strategy, right?
I mean, who wouldn’t?
Isn’t it every CISOs wildest dream to run a ship so tight that not a single exploit, APT, or hacktivist threat could ever hope to make it through?
Well … yes, it probably is. But it shouldn’t be.
Let me explain.
The problem is that as someone gets closer and closer to the idea of optimizing their threat intelligence strategy, they lose sight of the big picture.
The collection, dissemination, and use of threat intelligence has only one real purpose:
To reduce operational risk in order to maintain or improve profitability.
Of course, that’s no easy feat.
Breaches are increasingly common, and with the troubling new trend toward data destruction the risk of long-term damage has never been higher.
So what’s my point?
Simply this. Threat intelligence is a massive subject, and it’s natural to want to produce the most comprehensive range of intelligence possible … but that’s not always useful. In fact it’s usually not.
By concentrating intelligence efforts on highly specific business objectives (e.g., to maintain or improve profitability), this broad subject can be narrowed down to the point where a small amount of highly valuable intelligence is produced.
With this principle firmly in mind, let’s look at some ways to enhance your threat intelligence strategy.
Broadly speaking there are three primary means of gathering cyber threat intelligence.
Signals intelligence (SIGINT) results from intercepting and analyzing signals, usually those used for communications. This includes monitoring of all signals incoming to your networks.
Open source intelligence (OSINT) comes from publicly available information. Technically this includes all sorts of books, publications, radio, television, and so on … but for our purposes it’s intelligence sourced from the Internet, whether through search engines or focused “crawling” technology.
Human intelligence (HUMINT) is a little different. Where SIGINT and OSINT are primarily passive forms of intelligence collection, often taking the form of automated software, HUMINT is largely active. It could, for example, include human sources within threat actor communities.
So which is best?
Well, threat intelligence is useful because it enables us to take a proactive approach to security, so essentially this comes down to a breadth versus depth argument.
Passive threat intelligence gathering will turn up huge amounts of intelligence, which will inform the bulk of counter-measures … but active intelligence can shed light on specific threats that might otherwise cause massive damage.
Unsurprisingly, the ideal solution would be to utilize both.
There’s just one problem. Whilst nation states continue to invest heavily in HUMINT, most organizations simply don’t have the resources to do so.
It’s tempting, then, to rely solely in OSINT. It’s freely available in huge quantities, it yields some excellent results, and there are a plethora of excellent platforms available to exploit it.
But that would be a mistake.
Firstly, by investing time and resources in the analysis of your own incoming traffic (SIGINT) you’ll spot anomalies that relate specifically to you. Clearly, this is invaluable in the ongoing fight to maintain or enhance profitability.
Secondly, HUMINT data is not as elusive as it might seem. In fact, human “tip” data is evident throughout the Internet, it’s just difficult to aggregate and correlate it all into a useful format. This is where threat intelligence platforms really shine.
Strictly speaking this is a crossover between OSINT and HUMINT, but let’s not split hairs. By investing in a quality threat intelligence product, you can gain access to a broad array of usable HUMINT sources without investing huge amounts in active intelligence gathering.
Isn’t it a beautiful time to be alive?
The thing about threat intelligence is that you never seem to have enough.
Most companies start out small. Maybe a few of the “tech guys” start regularly checking security blogs, forums, and exploit databases looking for clues to help them secure the organization’s networks.
And of course, the more they look, the more they find.
After a while the job gets too big, and something has to be done. With a bit of time and effort a basic threat intelligence program is built … and for a while all is well.
A few months pass. Inevitably, the platform’s shortcomings are exposed, and further development is required.
You can see where this is going, can’t you?
Eventually a point is reached where further development is simply not feasible. Either the platform needs to be rebuilt from the ground up, or it needs to be replaced with a vendor-built alternative.
Yup, that age old question: Build or buy?
There are so many variables to address and questions to ask in order to make this decision, so I’m afraid I can’t tell you what to do.
Will the platform need to scale? Do you have the skills and manpower to build your own? Can you do it better than anyone else?
These are questions you’d ask of any IT project. There are, however, two questions that I believe must be asked when it comes to your threat intelligence platform:
If you’re in a position to build and maintain a comprehensive threat intelligence platform, which will continue to function for 3-5 years, it may be worth your while to do so.
Equally, if your organization is radically outside the norm, and vendor-built platforms won’t do the job, you may be forced to build your own.
If, however, you don’t fall into these categories, vendor-built platforms have many advantages.
The threat landscape is progressing at a tremendous rate, and vendors focused specifically in this area are constantly developing and refining their platforms. So while it might be a greater investment than you were hoping to make, trusting the specialists could well be a decision you look back on fondly.
I know, I know.
It’s tempting to focus exclusively on the latest threats, and pore over the last week’s incoming signals data trying to identify nefarious (micro) trends.
But if you get lost in the minutiae you risk falling prey to other, more enduring threats.
Let’s not forget, most breaches aren’t the result of cutting-edge malware or state-sponsored cyber espionage. Most breaches result from completely mundane events, such as lost passwords, careless online activity, and petty theft.
So shouldn’t we instead focus on larger time periods? Can we successfully defend ourselves simply by identifying macro threat trends and preparing for them?
Here’s the problem. Unlike most forms of analytics, threat intelligence must identify both macro and micro threat trends in order to be useful, because a single breach can cause massive long-term damage to even the largest organizations.
Take 2014, for example.
Anyone paying attention to the threat landscape around that time would have noticed a sudden and marked increase in destructive cyber attacks against high-profile organizations. Taking a purely macro approach to threat trend analysis at that time would have placed an organization in great short-term danger of suffering a breach they weren’t prepared to deal with.
But fast-forward to 2016. Destructive cyber attacks are still a serious threat, and would clearly fall under the umbrella of macro trends.
We’re also seeing a big move towards increasingly sophisticated phishing and spear phishing attacks, and away from payload-based malware attacks. Knowing this, we’re much better able to allocate our resources in line with business objectives.
So what does all this tell us?
Basically, your threat intelligence must cover both macro and micro time periods in order to minimize the risk of suffering a serious breach.
But there’s a silver lining.
By understanding macro threat trends, it’s much easier to spot (and respond to) anomalous threats within a smaller time period. In other words, macro threat trend analysis provides the context for micro threat trend analysis.
Or, as Levi Gundert puts it in his white paper “Aim Small, Miss Small”:
In addition to addressing defensive control improvements, analysts should be using collective data points to prognosticate on perceived future threats.
If the majority of threat actors are doing one thing, but you start to see something wildly different in your incoming signals data, you might want to sit up and take notice.
Remember the golden rule?
Your threat intelligence strategy must help the organization stay profitable.
It’s a sad fact, but one of the most common issues with threat intelligence is not the collection or processing of intelligence. It’s the communication of intelligence between different areas of the organization.
Red teams, security operations centers (SOCs), incident response (IR), vulnerability management … these are all areas that can benefit dramatically from high-quality threat intelligence.
Not only that, if they’re involved early enough they can inform on which specific aspects of threat intelligence will help them to do their jobs, which in turn helps the organization stay profitable.
This may seem like stating the blindingly obvious, but I can’t stress the importance of this point enough.
If the only thing you do after reading this article is investigate the way intelligence is disseminated within your organization, it will have been worth your time.
I can almost guarantee you’ll find someone who isn’t receiving the intelligence they need … and they might not even be aware of it.
When it comes to threat intelligence there is a wide (and widely publicized) knowledge gap, and it’s roughly the size and shape of the average C-suite.
This needs to change.
But before you start bemoaning the state of C-suite cyber knowledge, I’m afraid I have some bad news. The knowledge gap isn’t necessarily the fault of C-suite members … it’s the fault of cyber specialists who lack the ability to translate these very real cyber threats into language that leaders can understand and act upon.
Thankfully, rectifying this is simple, so long as C-suite members are willing to listen.
Engage with them.
Ask them what they need, and how they need it. These are exceptionally busy people, and they need poignant, useful information in a format they can digest and understand easily. More importantly, they need information they can act upon, take to the shareholders, or use to allocate budgets.
Stop complaining that you’re not getting the support you need from above, and start proactively helping them understand what they can do to help.
Cultural change can be difficult, but it’s in everybody’s best interests.
When it comes down to it, threat intelligence is as complicated as you want it to be. There’s always something else to test, more logs to check, and new research to pore over.
But while you’re doing that, I hope you’ll keep asking yourself the same question: Will this help the organization stay profitable?
And any time the answer is no, I hope you’ll put it down and move on.
After all, there’s plenty more where that came from.
This information is also available to view as a SlideShare presentation.